authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-03-17 00:48:21 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-03-17 00:48:21 +0000
commit694ca4839764363f71a72760bf7c9daabbcd1f12 (patch)
treee3193dcb4970563dc52beaeac684220ac346f05f /net/base/x509_certificate_mac.cc
parent2a6ea68fbd7654a146971b4201eab59c3e1ffbc9 (diff)
Blacklist certain leaf certificates.
BUG=none TEST=none Review URL: http://codereview.chromium.org/6670065 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@78478 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/x509_certificate_mac.cc')
-rw-r--r--net/base/x509_certificate_mac.cc31
1 files changed, 31 insertions, 0 deletions
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index 839e91e..254469e 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -229,6 +229,31 @@ void GetCertDateForOID(X509Certificate::OSCertHandle cert_handle,
}
}
+std::string GetCertSerialNumber(X509Certificate::OSCertHandle cert_handle) {
+ CSSMFields fields;
+ OSStatus status = GetCertFields(cert_handle, &fields);
+ if (status)
+ return "";
+
+ std::string ret;
+ for (size_t field = 0; field < fields.num_of_fields; ++field) {
+ if (!CSSMOIDEqual(&fields.fields[field].FieldOid,
+ &CSSMOID_X509V1SerialNumber)) {
+ continue;
+ }
+ ret.assign(
+ reinterpret_cast<char*>(fields.fields[field].FieldValue.Data),
+ fields.fields[field].FieldValue.Length);
+ break;
+ }
+
+ // Remove leading zeros.
+ while (ret.size() > 1 && ret[0] == 0)
+ ret = ret.substr(1, ret.size() - 1);
+
+ return ret;
+}
+
// Creates a SecPolicyRef for the given OID, with optional value.
OSStatus CreatePolicy(const CSSM_OID* policy_OID,
void* option_data,
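Review bot: The leading-zero strip at `while (ret.size() > 1 && ret[0] == 0)` also removes the 0x00 pad byte DER places in front of a positive INTEGER whose top bit is set, so the returned string is a normalized value rather than the literal encoded serial; that only works for blacklist matching if the values it is compared against are normalized the same way, which IsBlacklisted (outside this hunk) has to guarantee. GetCertSerialNumber has no header comment, so that contract should be written down, e.g. `// Returns the serial number's DER content bytes, big-endian with leading zero bytes dropped (a lone zero byte is kept), or "" if the certificate's fields cannot be read.` Note that the `if (status) return "";` branch turns a parse failure into an empty serial with no trace, so whether an empty value can ever match an entry depends on how IsBlacklisted is written. The substr loop rebuilds the string once per stripped byte; a single `ret.erase(0, std::min(ret.find_first_not_of('\0'), ret.size() - 1));` is equivalent (the lone-zero case maps npos to size()-1) and needs `<algorithm>` if the file does not already include it.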
@@ -486,6 +511,7 @@ void X509Certificate::Initialize() {
&valid_expiry_);
fingerprint_ = CalculateFingerprint(cert_handle_);
+ serial_number_ = GetCertSerialNumber(cert_handle_);
}
// static
@@ -664,6 +690,11 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
CertVerifyResult* verify_result) const {
verify_result->Reset();
+ if (IsBlacklisted()) {
+ verify_result->cert_status |= CERT_STATUS_REVOKED;
+ return ERR_CERT_REVOKED;
+ }
+
// Create an SSL SecPolicyRef, and configure it to perform hostname
// validation. The hostname check does 99% of what we want, with the
// exception of dotted IPv4 addreses, which we handle ourselves below.
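Review bot: The early return at `if (IsBlacklisted())` runs before the SecPolicyRef is created, so a blacklisted leaf is rejected without any chain or hostname evaluation and `verify_result` carries only its Reset() state plus CERT_STATUS_REVOKED; a comment should say this ordering is deliberate, e.g. `// Blacklisted leaf certificates are rejected up front, before chain building, so the failure is reported as revocation and cannot be masked by a later successful check.` The comment should also state that only the leaf certificate is consulted here, as the commit title says, so a reader does not expect a blacklisted intermediate to be caught by this branch. IsBlacklisted is outside this hunk, so whether the serial comparison also takes the issuer into account cannot be confirmed from these lines; if it matches on serial alone, a comment noting that is worth adding where it is defined. Verify's body continues outside the hunk.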